Monday, March 14, 2011

FTC Announces Behavioral Tracking Enforcement Action

By Mehmet Munur

The Federal Trade Commission announced an enforcement action today against an online advertising network that restarted tracking of users 10 days after those users had opted out of online tracking. This is likely the first FTC enforcement action in the behavioral tracking context and likely the first time browser cookies played a central role in an FTC enforcement action. The enforcement action sets a serious precedent for the importance of making accurate statements regarding the use of behavioral tracking and following through on those statements.

The consent order also includes numerous requirements regarding the deletion of data, displaying new notices regarding the opt-out, and developing a method of opting out apart from the controls already present in users’ browsers. Clearly, the FTC remains willing to bring enforcement actions against online practices it believes to be deceptive, regardless of congressional action in the field of online behavioral tracking and regardless of how small the harm may seem.

Chitika is an online advertising network and works in the field of online behavioral targeting. Chitika tracks its users with the aid of browser tracking cookies placed on a user’s device. Chitika adds information to the tracking cookie about the user’s browsing activities after it is set and uses this information to serve the user with relevant advertisements. However, this tracking, according to the FTC, is “not visible to the consumer, unless the consumer uses sophisticated web diagnostics tools.” Furthermore, the FTC was concerned that the tracking would continue indefinitely so long as the user visited a website using the Chitika network with the same browser.

In its complaint, the FTC also alleges that Chitika implied that its tracking would cease for a reasonable period of time but that the tracking resumed after 10 days. As a result, Chitika’s representations were deceptive. Chitika’s privacy policy played a central role. It stated:

When users visit a page in the Chitika network, one or more cookies - a small file containing a string of characters - are set to the computer that uniquely identifies the users (sic) browser. Chitika uses cookies to improve the quality of the targeting service by storing anonymous activity data and tracking user trends, such as how people search and browse. Users can reset their browsers to refuse all cookies or to indicate when a cookie is being sent. . . . Chitika encourages and promotes business practices that protect and honor the privacy of users. You can opt-out of receiving Chitika cookies by using the button below.

After users clicked the opt-out button, Chitika told the user that they were opted out. However, these opt-out cookies expired after 10 days and Chitika restarted tracking after this time. Users were not told that the opt-out cookie would expire after 10 days. The FTC concludes that Chitika represented “expressly or by implication, that when consumers opt out of targeted advertising by Chitika, such opt-out [would] last for a reasonable period of time.” In the FTC’s view, the fact that the tracking resumed after 10 days resulted in deception.

The consent order that followed the FTC investigation requires Chitika not to

misrepresent in any manner, expressly or by implication: (A) the extent to which consumers may exercise control over the collection, use, disclosure, or sharing of data collected from or about them, their computers or devices, or their online activities, or (B) the extent to which data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.

The consent order also requires Chitika to place disclosures on its websites about the expired opt out and

provide a mechanism, separate and apart from any preferences or controls offered by consumers’ browsers, to enable Chitika users to prevent respondent from collecting data that can be associated with a Chitika user or a Chitika user’s computer or device, or that contains any unique identifier, including Chitika user ID or Internet Protocol (IP) address; from redirecting Chitika users’ browsers to third parties that collect data, absent a click or other affirmative action by such Chitika user; and from associating any previously collected data with any Chitika user’s computer or device. This mechanism shall require no more than one additional click for consumers to exercise their choice(s), and shall remain in effect for a minimum time period of five (5) years, unless the consumer deletes his or her cookies or takes deliberate action to disable the mechanism.

Finally, within 90 days, Chitika must include a link in its ads to the website that would allow individuals to opt out of the tracking. Chitika must also destroy all IP addresses and unique identifiers and all information stored in users’ cookies.

As is typical of FTC enforcement actions, the order lasts for 20 years. However, there is no biennial audit requirement. Instead, for a period of 5 years, Chitika must maintain and make available to the FTC any documents that relate to the collection of information from users, including FAQs, privacy policies, and Terms of Use.

This most recent enforcement action from the FTC is not unexpected. The FTC recently released the Do Not Track report that we blogged about. There, the FTC stated that consumers should be entitled to choice about online behavioral tracking and that

The most practical method of providing such universal choice would likely involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted ads. Commission staff supports this approach, sometimes referred to as “Do Not Track.”

Thus, the Chitika enforcement action is completely in line with the persistent online tracking choices that the FTC would like to encourage.

The FTC now reiterates its willingness to change practices in the arena of online behavioral tracking by putting the cookies center stage. It is also noteworthy that the enforcement action comes before the Do Not Track report is finalized. After all, that report was a preliminary report.

As a result, statements and practices about cookies, especially behavioral tracking cookies, are now more important than ever. These practices will only increase in importance as the FTC reviews all the comments relating to its report and issues a final report. It appears that regardless of legislation in this area, the FTC will continue to bring enforcement actions against deceptive practices relating to behavioral tracking.
